The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is a set of national standards that aim to protect the Electronic Protected Health Information (EPHI) of healthcare patients from unauthorized use or disclosure. Unlike the Privacy Rule, the Security Rule applies only to electronic forms of PHI. Whether you are a doctor, chiropractor, dentist or any other covered entity, you should comply with the Security Rule and its requirements to avoid being penalized by the Office for Civil Rights (OCR).
The HIPAA Security Rule contains three areas of importance with regard to compliance: technical, physical and administrative safeguards. Technical safeguards include the technology (hence the name) that is used to protect EPHI. Whether at rest or in transit, EPHI must be encrypted to NIST standards, so that any EPHI exposed in a breach is unreadable. Encryption, however, is listed as an addressable specification, meaning covered entities are not required to implement it in every case, only where its use is meaningful and appropriate for protecting EPHI from disclosure.
While technical safeguards are digital, physical safeguards consist of tangible security measures. Required specifications for physical safeguards under the HIPAA Security Rule include policies and procedures for mobile devices on which EPHI is stored, as well as policies and procedures governing workstation use. Addressable specifications include facility access controls and keeping an inventory of devices and hardware.
Most covered entities are familiar with technical and physical safeguards, but administrative safeguards can be somewhat confusing. Basically, administrative safeguards are policies and procedures, in the manner of the Privacy Rule, that are applied to the handling of EPHI. Some of the required administrative safeguards include conducting risk assessments, creating a risk management policy, developing a contingency plan for emergencies, and restricting third-party access to EPHI. Addressable specifications include reporting security incidents, testing the contingency plan, and training employees on the nuances of the HIPAA Security and Privacy Rules.
In addition to implementing the necessary technical, physical and administrative safeguards, covered entities must also designate a Security Officer and a Privacy Officer. The Security Officer is responsible for ensuring compliance with the Security Rule within the workplace, including training workers on how to comply. The Privacy Officer is responsible for ensuring compliance with the Privacy Rule.
To recap, covered entities must implement the appropriate safeguards to protect EPHI from disclosure, as per the HIPAA Security Rule. Furthermore, a worker must be designated as the Security Officer. This worker can also take the role of Privacy Officer.